Hospital with repeat security failures hit with $218K HIPAA fine

Does your hospital permit employees to use a file-sharing app to store patients' protected health information? Better think again. A Massachusetts hospital is paying up and reevaluating its privacy and security policies after a file-sharing complaint and following a HIPAA breach.

St. Elizabeth's Medical Center in Brighton, Mass. – a member hospital of Steward Health Care system – will pay $218,400 to the Office for Civil Rights for alleged HIPAA violations. The settlement resulted from a 2012 complaint filed by hospital employees, stating that the medical center was using a Web-based document-sharing application to store data containing protected health information. Without adequately analyzing the security risks of this application, it put the PHI of nearly 500 patients at risk.

"Organizations must pay particular attention to HIPAA's requirements when using Internet-based document sharing applications," said Jocelyn Samuels, OCR director, in a July 10 statement announcing the settlement. "In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner."

It wasn't just the complaint that got St. Elizabeth's in hot water, however. A HIPAA breach reported by the medical center in 2014 also called attention to the lack of adequate security policies. The hospital notified OCR in August of last year of a breach involving unsecured PHI stored on the personal laptop and USB drive of a former hospital employee. The breach ultimately impacted 595 patients, according to a July 10 OCR bulletin.

As part of the settlement, St. Elizabeth's will also be required to "cure the gaps in the organization's HIPAA compliance program," OCR officials wrote in the bulletin. More specifically, this includes conducting a self-assessment of its employees' awareness and compliance with hospital privacy and security policies. Part of this assessment will involve "unannounced visits" to various hospital departments to assess policy implementations. Officials will also interview a total of 15 "randomly selected" employees with access to PHI. Additionally, at least three portable devices across each department with access to PHI will be inspected.

Then there's the policies and training piece part of the settlement. With this, St. Elizabeth's based on the assessment, will submit revised policies and training to HHS for approval.

"There are no indications that any patient data had been viewed or misused in any way," said a hospital spokesperson in an emailed statement. "St. Elizabeth's Medical Center has settled the matter regarding events that occurred in 2012 and 2014."

In addition to the filed complaint and the 2014 breach, the medical center also reported an earlier HIPAA breach in 2012 when paper records containing billing data, credit card numbers and security codes of nearly 7,000 patients were not properly shredded by the hospital. Some of the files containing the data were reportedly found blowing in a field nearby.

To date, OCR has levied nearly $26.4 million from covered entities and business associates found to have violated HIPAA privacy, security and breach notification rules.

The largest settlement to date was the whopping $4.8 million fine paid by New York Presbyterian Hospital and Columbia University Medical Center after a single physician accidentally deactivated an entire computer server, resulting in ePHI being posted on Internet search engines.